author | t3sserakt <t3ss@posteo.de> | 2019-06-25 15:53:30 +0200 |
committer | t3sserakt <t3ss@posteo.de> | 2019-06-25 15:53:30 +0200 |
commit | 28d3e0676f262e495c6d5c49bbedd5ce65502cee (patch) | |
tree | 3631b2f033a913aac3cd806e541e3391f0cec7e5 /src/gns | |
parent | d2ed51b63d955a590a461e911a3d6fa6a9248fe5 (diff) | |
parent | 17611641fe7da3d2711e1f20eaf2ee81faf0e702 (diff) | |
Merge branch 'master' into cadet_option
Diffstat (limited to 'src/gns')
-rw-r--r-- | src/gns/Makefile.am | 2 | ||||
-rw-r--r-- | src/gns/gnunet-gns-proxy-ca.template | 303 | ||||
-rw-r--r-- | src/gns/gnunet-gns-proxy-setup-ca.in | 45 |
3 files changed, 337 insertions, 13 deletions
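--- a/src/gns/Makefile.am
+++ b/src/gns/Makefile.am
@@ -81,7 +81,7 @@ noinst_PROGRAMS = \
 gnunet-gns-benchmark
 
 pkgdata_DATA = \
-openssl.cnf
+gnunet-gns-proxy-ca.template
 
 if HAVE_MHD
 if LINUX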
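Review bot: Dropping `openssl.cnf` from `pkgdata_DATA` stops it being installed, yet the openssl fallback added to gnunet-gns-proxy-setup-ca.in in this same commit still reads `OPENSSLCFG=@pkgdatadir@/openssl.cnf`, so that fallback fails on a missing config file once gnutls certtool is absent. Either keep both files installed (`pkgdata_DATA = \`, `  openssl.cnf \`, `  gnunet-gns-proxy-ca.template`) or remove the openssl branch from the script so the two changes agree. I cannot see whether `openssl.cnf` is still listed elsewhere in this Makefile (e.g. `EXTRA_DIST`), so this may only show up in installed trees rather than in-tree runs.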
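--- /dev/null
+++ b/src/gns/gnunet-gns-proxy-ca.template
@@ -0,0 +1,303 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "GNU"
+
+# The organizational unit of the subject.
+unit = "GNUnet"
+
+# The locality of the subject.
+locality = World
+
+# The state of the certificate owner.
+# state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = ZZ
+
+# The common name of the certificate owner.
+cn = "GNS Proxy CA"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12 Dr."
+#dn_oid = "2.5.4.65 jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
+# Comment the field for a random serial number.
+#serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = 3650
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# An othername defined by an OID and a hex encoded string
+#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
+#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
+#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
+
+# Allows writing an XmppAddr Identifier
+#xmpp_name = juliet@im.example.com
+
+# Names used in PKINIT
+#krb5_principal = user@REALM.COM
+#krb5_principal = HTTP/user@REALM.COM
+
+# A subject alternative name URI
+#uri = "https://www.example.com"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "bounce@gnunet.org"
+
+# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
+# extension features to be provided by the server. In practice this is used
+# to require the Status Request (extid: 5) extension from the server. That is,
+# to require the server holding this certificate to provide a stapled OCSP response.
+# You can have multiple lines for multiple TLS features.
+
+# To ask for OCSP status request use:
+#tls_feature = 5
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "https://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+#crl_signing_key
+
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+### Adding arbitrary extensions
+# This requires to provide the extension OIDs, as well as the extension data in
+# hex format. The following two options are available since GnuTLS 3.5.3.
+#add_extension = "1.2.3.4 0x0AAB01ACFE"
+
+# As above but encode the data as an octet string
+#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
+
+# For portability critical extensions shouldn't be set to certificates.
+#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+#honor_crq_extensions
+
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
+# Path length contraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = https://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = https://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = https://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = https://www.example.com/another-policy-to-read
+
+# The number of additional certificates that may appear in a
+# path before the anyPolicy is no longer acceptable.
+#inhibit_anypolicy_skip_certs 1
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+
+#nc_permit_email = "nmav@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# IP
+#nc_permit_ip = 192.168.0.0/16
+#nc_exclude_ip = 192.168.5.0/24
+#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
+
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
+# Comment the field for a time-based number.
+# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
+# are significantly larger than those generated in previous
+# versions. Since CRL numbers need to be monotonic, you need
+# to specify the CRL number here manually if you intend to
+# downgrade to an earlier version than 3.6.3 after publishing
+# the CRL as it is not possible to specify CRL numbers greater
+# than 2**63-2 using hex notation in those versions.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"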
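Review bot: `path_len` (template lines 232-233) is left commented out, so the `ca` certificate this template produces carries no pathLenConstraint even though the setup script's `importbrowsers()` suggests it ends up in browser trust stores; `path_len = 0` would confine the CA to issuing end-entity certificates, so a leaked key could not be used to mint further CAs (assuming gnunet-gns-proxy only signs per-site leaf certificates, which I cannot confirm from this page). `challenge_password = 123456` on line 106 applies only to certificate requests, and the script uses this template with `--generate-self-signed`, so it is dead configuration that reads like a shared secret; comment it out as `#challenge_password = 123456`. `signing_key` and `encryption_key` are likewise end-entity key usages, `cert_signing_key` being the one the CA actually needs, whereas `tls_www_server` should stay because some validators reject a chain whose CA has an extended-key-usage extension lacking serverAuth. A short header comment stating that this template is consumed by gnunet-gns-proxy-setup-ca and that `expiration_days = 3650` mirrors the openssl branch's `-days 3650` would keep the two code paths from drifting apart.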
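--- a/src/gns/gnunet-gns-proxy-setup-ca.in
+++ b/src/gns/gnunet-gns-proxy-setup-ca.in
@@ -133,13 +133,29 @@ generate_ca()
 
 # ------------- openssl
 
+GNUTLS_CA_TEMPLATE=@pkgdatadir@/gnunet-gns-proxy-ca.template
 OPENSSLCFG=@pkgdatadir@/openssl.cnf
-if test -z "`openssl version`" > /dev/null
+CERTTOOL=""
+OPENSSL=0
+if test -z "`gnutls-certtool --version`" > /dev/null
 then
-warningmsg "'openssl' command not found. Please install it."
-infomsg "Cleaning up."
-rm -f $GNSCAKY $GNSCANO $GNSCERT
-exit 1
+# We only support gnutls certtool for now
+if test -z "`certtool --version | grep gnutls`" > /dev/null
+then
+warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
+if test -z "`openssl version`" > /dev/null
+then
+$OPENSSL=1
+else
+warningmsg "Install either gnutls certtool or openssl for certificate generation!"
+infomsg "Cleaning up."
+rm -f $GNSCAKY $GNSCERT
+exit 1
+fi
+fi
+CERTTOOL="certtool"
+else
+CERTTOOL="gnutls-certtool"
 fi
 if [ -n "${GNUNET_CONFIG_FILE}" ]; then
 GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
@@ -149,13 +165,18 @@ generate_ca()
 GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
 mkdir -p `dirname $GNS_CA_CERT_PEM`
 
-openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
-
-infomsg "Removing passphrase from key"
-openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
-
-infomsg "Making private key available to gnunet-gns-proxy"
-cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
+if test 1 -eq $OPENSSL
+then
+openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
+infomsg "Removing passphrase from key"
+openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
+cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
+else
+$CERTTOOL --generate-privkey --outfile $GNSCAKY
+$CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
+infomsg "Making private key available to gnunet-gns-proxy"
+cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
+fi
 }
 
 importbrowsers()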
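Review bot: `$OPENSSL=1` on new line 148 of the first hunk is not an assignment — the shell expands it to `0=1` and tries to execute that as a command — so `OPENSSL` stays 0 and the script falls through to `CERTTOOL="certtool"` even when no certtool is installed; it should read `OPENSSL=1`. The test around it is also inverted: `test -z "`openssl version`"` is true when openssl is missing, so the openssl fallback is chosen exactly when openssl is absent and the "Install either…" exit fires when it is present; use `if test -n "`openssl version`"` (the trailing `> /dev/null` on a `test` is a no-op and can be dropped). In the second hunk the gnutls branch writes the CA private key unencrypted straight to `$GNSCAKY` and neither `$CERTTOOL` call is checked, so a failed `--generate-privkey` still reaches `cat` and leaves a truncated `$GNS_CA_CERT_PEM` behind; appending `|| exit 1` to both certtool lines, and confirming that `generate_ca()` (whose start lies outside the hunk) sets a restrictive umask before the key is written, would close that gap.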